Description
In the Linux kernel, the following vulnerability has been resolved:

batman-adv: v: stop OGMv2 on disabled interface

When a batadv_hard_iface is disabled, its mesh_iface pointer is set to
NULL. However, batadv_v_ogm_send_meshif() may still dispatch OGMs via
batadv_v_ogm_queue_on_if() for interfaces that have since lost their
mesh_iface association. This results in a NULL pointer dereference when
batadv_v_ogm_queue_on_if() unconditionally calls netdev_priv() on the
now NULL hard_iface->mesh_iface to retrieve the batadv_priv.

It is necessary to ensure that the batadv_v_ogm_queue_on_if() checks that
it is using the same mesh_iface for which batadv_v_ogm_send_meshif() was
called.
Published: 2026-06-24
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A NULL pointer dereference in the batman‑adv module causes the kernel to crash when OGM packets are sent over an interface that has been disabled. The fault triggers a dereference of a now‑NULL mesh_iface pointer and results in a kernel panic, bringing the host down and terminating all services. This represents a high‑impact denial‑of‑service weakness (CWE‑476).

Affected Systems

The bug lives in the Linux kernel’s batman‑adv (B.A.T.M.A.N. advanced) network driver. Any Linux system that has a kernel build including batman‑adv and that allows OGM traffic on interfaces that can be disabled is potentially affected. All current kernel releases before the specific commit that fixed the issue contain the vulnerable code.

Risk and Exploitability

Based on the description, it is inferred that the attacker must have local or privileged access to configure batman‑adv and trigger OGM traffic on a disabled interface. This inference is not directly stated in the advisory. The EPSS score is not available and the vulnerability is not in the CISA KEV catalog, implying no publicly documented exploitation exists at this time. Although no CVSS score is published, the NULL dereference that leads to a kernel crash indicates high risk for availability.

Generated by OpenCVE AI on June 24, 2026 at 14:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest stable Linux kernel release that contains the batman‑adv fix committed in the kernel git repository.
  • If an upgrade is not feasible, manually apply the patch from the kernel commit(s) referenced in the advisory, rebuild the kernel, and reboot the host.
  • Temporarily disable batman‑adv or the specific interface that can be disabled to stop OGM traffic until the patch or manual fix is in place.

Generated by OpenCVE AI on June 24, 2026 at 14:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4664-1 linux security update
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Thu, 25 Jun 2026 00:15:00 +0000


Wed, 24 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Wed, 24 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: batman-adv: v: stop OGMv2 on disabled interface When a batadv_hard_iface is disabled, its mesh_iface pointer is set to NULL. However, batadv_v_ogm_send_meshif() may still dispatch OGMs via batadv_v_ogm_queue_on_if() for interfaces that have since lost their mesh_iface association. This results in a NULL pointer dereference when batadv_v_ogm_queue_on_if() unconditionally calls netdev_priv() on the now NULL hard_iface->mesh_iface to retrieve the batadv_priv. It is necessary to ensure that the batadv_v_ogm_queue_on_if() checks that it is using the same mesh_iface for which batadv_v_ogm_send_meshif() was called.
Title batman-adv: v: stop OGMv2 on disabled interface
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T07:14:11.248Z

Reserved: 2026-06-09T07:44:35.367Z

Link: CVE-2026-52913

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity :

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-52913 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T14:15:05Z

Weaknesses